Security issue in Image Uploader

posted by Andrew on 26 November 2007, 21:55

Recently we got a report that Image Uploader suffers from a buffer overrun vulnerability. A BID was submitted by Elazar Broad to http://www.securityfocus.com, and he emailed us to inform us about it. I am taking this opportunity to thank Elazar for all his help with it. Here is the BID:

http://www.securityfocus.com/bid/26537

It happened on a weekend, so we had to go to the office on Sunday. Fortunately the problem was not difficult to locate and fix, so we have released version 4.5.70, which does not have this problem, and we are now informing all our customers to update Image Uploader on their websites.

You may wonder why this issue is so important. The problem is that a buffer overrun vulnerability means that a malicious person can execute arbitrary code (including malware, of course) on each computer where Image Uploader is installed. Many millions of people who visit our customers' websites are at risk. If you are interested in what a buffer overrun is, here is a Wikipedia article:

http://en.wikipedia.org/wiki/Buffer_overrun

So we urge everybody who uses Image Uploader to upload files to their websites to install the latest version. It is downloadable from the Image Uploader download page.

Now here is a small FAQ.

Q: What versions of Image Uploader are vulnerable?

A: All Image Uploader builds of the 4.x family, except 4.5.70, of course.

Q: What about previous versions?

A: This issue appeared when we added the possibility to navigate to an arbitrary folder through JavaScript. This feature was introduced in version 4.0. So if you are using version 3.5 or earlier, this issue does not affect you.

However, if you received a version 3.x build after we officially discontinued it, please contact us. We need to check it out.

Q: Where to download the fixed version?

A: First of all, you can download the latest version from the Image Uploader download page:

http://www.aurigma.com/Products/ImageUploader/FreeTrial.aspx

Q: How to install the update?

A: The update installation process is the same as described in the documentation. In short:

  1. Download the latest .cab file (it should be version 4.5.70 or later).
  2. Replace the old .cab file on your server with it.
  3. Update the version number in the Image Uploader initialization block. It should look like this: iu.activeXControlVersion = "4,5,70,0";

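
To audit pages after the update, the version string from step 3 can be checked against the affected range given in this post. This is an added example, not Aurigma's code; it assumes the comma-separated ActiveX form ("4,5,70,0") or the dotted form ("4.5.70"), and treats 4.0 up to but not including 4.5.70 as affected, anything below 4.0 as unaffected.

```javascript
// Added example (not Aurigma's code): classify an Image Uploader version
// string against the range described in the advisory. Assumptions: the
// string is either "4,5,70,0" (ActiveX style) or "4.5.70" (dotted style);
// 4.0 <= v < 4.5.70 is affected, 3.x and earlier is not, 4.5.70+ is fixed.

const FIXED_VERSION = [4, 5, 70, 0];
const FIRST_AFFECTED = [4, 0, 0, 0];

// Parse "4,5,70,0" or "4.5.70" into four integers, padding missing fields with 0.
function parseVersion(text) {
  const parts = text.trim().split(/[.,]/).map((p) => {
    if (!/^\d+$/.test(p)) throw new Error(`bad version component: "${p}"`);
    return Number(p);
  });
  if (parts.length === 0 || parts.length > 4) throw new Error(`bad version: "${text}"`);
  while (parts.length < 4) parts.push(0);
  return parts;
}

// Field-by-field comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "unaffected", "affected" or "fixed" for a version string.
function classifyVersion(text) {
  const v = parseVersion(text);
  if (compareVersions(v, FIRST_AFFECTED) < 0) return "unaffected"; // 3.x and earlier
  if (compareVersions(v, FIXED_VERSION) < 0) return "affected";    // 4.0 .. 4.5.69
  return "fixed";
}

// Pull the configured version out of an initialization block such as
// iu.activeXControlVersion = "4,5,70,0";  Returns null if not found.
function versionFromInitBlock(source) {
  const m = /activeXControlVersion\s*=\s*["']([^"']+)["']/.exec(source);
  return m ? m[1] : null;
}

// Constructed sample of a page that still ships an affected build.
const sampleInit = 'iu.activeXControlVersion = "4,5,20,0";';
console.log(classifyVersion(versionFromInitBlock(sampleInit)));
```
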
Q: Is the update free?

A: This is a minor update. According to our upgrade policy, minor updates are free.

Q: I still have questions. Where can I get more information?

A: Please email us at info@aurigma.com.

Comments

codesmith 11/27/2007 5:45:37 AM

I don't quite understand the security issue. The JavaScript example on securityfocus.com shows a big loop instantiating the ActiveX control over and over. But isn't this just going to cause a buffer overrun on the computer that's running the script? How will that affect other users? Or could this only be brought about if a site with the ActiveX control gets hacked and the user is tricked into executing the JavaScript? And then what's the worst that could happen? The browser crashes?

Andrew 11/29/2007 10:11:21 PM

Let's see how potential malicious persons can utilize this security flaw. A hacker writes JavaScript which uses this buffer overflow bug to run malicious code, e.g. a virus, trojan or whatever. It is not as difficult as it may seem. Read the Wikipedia article about buffer overruns for a better understanding of how it works (it requires some assembler knowledge though). Then the hacker uses phishing to get some person to open the page containing the malicious JavaScript. Alternatively they can use a cross-site scripting technique to inject this JavaScript into other sites.

So you see, this is quite serious. Each user who has a vulnerable version of Image Uploader may potentially run some malware from the web without any knowledge of it.

P.S. If you do not know about phishing or cross-site scripting, I recommend taking a look at these Wikipedia articles:

http://en.wikipedia.org/wiki/Phishing
http://en.wikipedia.org/wiki/Cross-site_scripting
